b'        U.S. Department of Energy\n        Office of Inspector General\n        Office of Audit Services\n\n\n\n\nEvaluation Report\nThe Department\'s Unclassified\nCyber Security Program - 2008\n\n\n\n\nDOE/IG-0801                      September 2008\n\x0c                               Department of Energy\n                                    Washington, DC 20585\n                                 September 1 6 , 2008\n\n\n\nMEMORANDUM FOR\n\nFROM:\n                         Inspector General\n\nSUBJECT:                 IIVFORMATION: Evaluation Report on "The Department\'s\n                         Unclassified Cyber Security Program - 2008"\n\nBACKGROUND\n\nThe Department of Energy anticipated spending about $250 million in Fiscal Year (FY)\n2008 to implement cyber security measures necessary to protect its information\ntechnology resources - systems and data critical to supporting its mission and business\nlines of energy security, nuclear security, scientific discovery and innovation,\nenvironmental responsibility, and management excellence. Security challenges and\nthreats to the Department of Energy\'s information systems are continually evolving.\nAdversaries routinely attempt to compromise its information technology assets. As these\nattacks become increasingly sophisticated, it is critical that the Department\'s cyber\nsecurity protective measures keep pace with the growing threat.\n\nThe Federal Information Security Management Act (FISMA) provides direction to\nagencies on the management and oversight of information security risks, including design\nand implementation of controls to protect Federal information and systems. As required\nby FISMA, the Office of Inspector General conducts an annual independent evaluation to\ndetermine whether the Department\'s unclassified cyber security program adequately\nprotects its information systems and data. 
This memorandum and the attached report\npresent the results of our evaluation for FY 2008.\n\nRESULTS OF EVALUATION\n\nThe Department continues to make incremental improvements in its unclassified cyber\nsecurity program. Our evaluation disclosed that various sites had taken action to address\nweaknesses previously indentified in our FY 2007 evaluation report by strengthening\nconfiguration management of networks and systems and by updating local policies and\nprocedures related to laptop computers and incident reporting. Further, the Office of\nChief Information Officer, the National Nuclear Security Administration (NNSA), and\nprogram elements had recently issued revised policy that provided direction on\nmanagement, operating, and technical security controls; and, officials had taken action to\nincorporate Federal cyber security perfonnance requirements into a number of\nmanagement and operating contracts. While these are positive accomplishments,\nadditional action is required to further enhance the Department\'s unclassified cyber\nsecurity program and help reduce risks to its systems and data. For example, our current\nreview identified opportunities for improvements in areas such as certification and\n\n\n\n                                 639   Printed with soy ink on recycled paper\n\x0caccreditation (C&A) of systems; systems inventory; contingency planning; and,\nsegregation of duties. 
Weaknesses that merit further attention include -thefollowing:\n\n       A number of C&A issues had been addressed, but problems, particularly in the\n       areas of assessing risks and ensuring the adequacy of security controls, had not\n       been completely resolved;\n\n       Site-level inventories were generally comprehensive and various automated\n       inventory tools had been piloted, however, a system for maintaining a centralized,\n       Department-wide inventory of information systems had not been completely\n       deployed;\n\n       Contingency planning had improved, yet some sites had not completed actions\n       necessary to ensure that system operation could be resumed in a timely manner in\n       the event of a major disruption to services;\n\n       Actions to address cyber incident response issues had been initiated but were not\n       yet complete;\n\n       In some instances, risks to systems had not always been fully assessed to provide\n       assurance that personally identifiable information was adequately protected from\n       loss or unauthorized disclosure; and,\n\n       While many previously identified vulnerabilities in access controls, configuration\n       management and separation of duties had been resolved, we found that\n       weaknesses in these areas continued to exist at various sites.\n\nSimilar to our observations during past evaluations, these internal control weaknesses\nexisted, at least in part, because not all Department program organizations, including the\nNNSA, had revised and implemented policies incorporating Federal and Departmental\ncyber security requirements in a timely manner. Program officials had also not\neffectively performed management review activities essential for evaluating the adequacy\nof cyber security performance. 
In some cases, officials had not ensured that weaknesses\ndiscovered during audits and other examinations were recorded and tracked to resolution.\nAs a consequence, the risk of compromise to the Department\'s information and systems\nremained higher than necessary.\n\nTo assist the continuing efforts to improve, we made several recommendations designed\nto help strengthen the Department\'s unclassified cyber security program and thereby\nprotect its computer resources from unauthorized modification, loss, or disclosure of\ninformation.\n\nDue to security considerations, information on specific vulnerabilities and locations has\nbeen omitted from this report. Management officials at the sites evaluated were provided\nwith detailed information regarding identified vulnerabilities, and, in many instances,\ninitiated corrective actions.\n\x0cMANAGEMENT REACTION\n\nManagement concurred with our findings and recommendations. Management\'s\ncomments are included in their entirety in Appendix 3.\n\nAttachment\n\ncc: Acting Deputy Secretary\n    Administrator, National Nuclear Security Administration\n    Under Secretary for Science\n    Under Secretary of Energy\n    Chief of Staff\n    Chief Information Officer\n\x0cEVALUATION REPORT ON THE DEPARTMENT\'S UNCLASSIFIED\nCYBER SECURITY PROGRAM - 2008\n\n\nTABLE OF\nCONTENTS\n\n\nUnclassified Cyber Security Program\n\nDetails of Finding ....................................................................................................1\n\nRecommendations and Comments...........................................................................9\n\nAppendices\n\n1.    Objective, Scope, and Methodology ..............................................................11\n\n2.    Prior Reports...................................................................................................13\n\n3.    
Management Comments.................................................................................17\n\x0cUnclassified Cyber Security Program\n\nProgram                   The Department of Energy (Department or DOE) continued\nImprovements              to make progress in enhancing its unclassified cyber\n                          security program and addressing previously identified\n                          cyber security weaknesses. For instance:\n\n                             \xe2\x80\xa2   Various sites took steps to correct previously\n                                 identified weaknesses by strengthening system\n                                 access controls and configuration management,\n                                 implementing segregation of duties, developing\n                                 contingency plans, and updating local cyber\n                                 security policies and procedures;\n\n                             \xe2\x80\xa2   Although not fully implemented, the Office of Chief\n                                 Information Officer (OCIO), the National Nuclear\n                                 Security Administration (NNSA), and the Office of\n                                 the Under Secretary had recently issued revised\n                                 policy that provided direction on management,\n                                 operating, and technical controls;\n\n                             \xe2\x80\xa2   NNSA and program elements incorporated Federal\n                                 cyber security requirements into a number of\n                                 management and operating contracts;\n\n                             \xe2\x80\xa2   Action had been initiated to eliminate duplicative\n                                 incident response capabilities; and,\n\n                             \xe2\x80\xa2   Finally, a formal working group was established to\n                                 ensure that 
Department cyber security guidance\n                                 complied with National Institute of Standards and\n                                 Technology (NIST) guidance.\n\nManaging Cyber            The Department continued to improve the management of\nRelated Risk              its cyber security program. However, additional action is\n                          needed to reduce the risk of compromise to information\n                          systems and data. In particular, weaknesses continued to\n                          exist in the Department\'s certification and accreditation\n                          (C&A) process, systems inventory, contingency planning,\n                          cyber security incident management, and privacy\n                          information controls. These processes are essential for\n                          ensuring a comprehensive and effective risk management\n                          strategy for protecting information technology systems and\n                          data.\n\n                                        Certification and Accreditation\n\n                      System C&A are critical activities that support a risk\n                      management process and are an integral part of an\n________________________________________________________________\nPage 1                                                       Details of Finding\n\x0c                           agency\'s information security program. A strong and\n                           comprehensive process is necessary to ensure that agency\n                           officials have the most complete, accurate and trustworthy\n                           information possible on the security status of their\n                           information systems in order to make informed decisions\n                           on whether to authorize their operation. 
However, our\n                           evaluation revealed weaknesses in the process at three sites.\n                           We also noted that problems identified at four other sites\n                           during our Fiscal Year (FY) 2006 evaluation had not yet\n                           been completely corrected. Specifically:\n\n                              \xe2\x80\xa2   System security plans at five sites were missing\n                                  essential components such as descriptions of\n                                  mandatory security controls. This information is\n                                  necessary for management to determine that all\n                                  systems risks have been fully considered and\n                                  mitigating controls are in place, as necessary;\n\n                              \xe2\x80\xa2   Required annual self-assessments of mandatory\n                                  security controls had not been performed at four\n                                  sites. Such assessments allow management to\n                                  identify deficiencies in security controls and the\n                                  extent to which corrective actions are necessary;\n\n                              \xe2\x80\xa2   Independent assessments of security controls had\n                                  not been adequately performed in conjunction with\n                                  the certification process at four sites. Such\n                                  assessments help provide assurance of the adequacy\n                                  of security controls;\n\n                              \xe2\x80\xa2   Testing of security controls at one site was not\n                                  adequate, in that it did not incorporate an evaluation\n                                  of certain mandatory security controls. 
Inadequate\n                                  testing could potentially result in undetected cyber\n                                  security weaknesses; and,\n\n                              \xe2\x80\xa2   Two sites had not yet completed C&A for certain\n                                  systems, a deficiency first reported in FY 2006.\n\n                                                Systems Inventory\n\n                      Despite a longstanding need, the Department had not yet\n                      established a complex-wide inventory of information\n                      systems. Agencies are required to develop an inventory\n                      that includes an identification of the interfaces between\n                      each system and all other systems or networks, including\n                      those not operated by or under the control of the agency.\n________________________________________________________________\nPage 2                                                         Details of Finding\n\x0c                      Per Office of Management and Budget (OMB) guidance,\n                      self-reporting of contractor systems or networks used or\n                      operated by a contractor on behalf of an agency without\n                      agency verification or validation by the agency is not\n                      sufficient. 
If properly implemented, an automated asset\n                      management system could assist the Department in not\n                      only Federal Information Security Management Act\n                      (FISMA) reporting, but also in areas such as risk\n                      management, capital planning, and configuration\n                      management.\n\n                      To meet FISMA reporting requirements, the Department\'s\n                      current systems inventory process consists of an annual\n                      data call to sites and organizations, resulting in inventory\n                      information that is received too late to be adequately\n                      verified or validated complex-wide. Such information also\n                      does not identify interfaces between each system and all\n                      other systems or networks, including those not operated by\n                      or under the control of the agency. As a substitute for the\n                      annual data calls, the Department has initiated an effort to\n                      deploy several FISMA reporting tools with capabilities to\n                      capture systems inventory information. 
However, this\n                      initiative, begun in FY 2007, had not been completed.\n                      While viewed as an incremental step by one Department\n                      official, another noted that the tools would not provide the\n                      benefits of a fully automated complex-wide asset\n                      management system, including actual identification of\n                      system connections and timely configuration and patch\n                      management capabilities.\n\n                             Contingency and Disaster Recovery Planning\n\n                      Although contingency planning processes at several sites\n                      improved, we found that other sites had not initiated or\n                      completed actions necessary to ensure that critical\n                      operations could be recovered or established at a secondary\n                      processing location in the event of a major disruption of\n                      services. Specifically, our evaluation disclosed problems\n                      with contingency plans at three sites. For instance, one site\n                      had not adequately developed and tested its contingency\n                      plans. 
Had it done so, this site would most likely have\n                      determined that it\'s primary and secondary processing\n                      locations were interdependent, as well as in close proximity\n                      to each other and therefore subject to the same hazards.\n\n\n\n\n________________________________________________________________\nPage 3                                            Details of Finding\n\x0c                                      Cyber Incident Management\n\n                      We noted that individual program and cyber incident\n                      response organizations were not required to adhere to a\n                      coordinated/common approach for incident reporting. As a\n                      consequence, incident reports reaching the Department\'s\n                      Computer Incident Advisory Capability lacked essential\n                      elements for reporting to law enforcement and subsequent\n                      analysis for trending. Also, in the event of a multi-site\n                      cyber attack on the Department\'s networks and systems,\n                      this reporting environment made it difficult for the\n                      Department to develop a coordinated response. These\n                      issues were highlighted in our report on The Department\'s\n                      Cyber Security Incident Management Program (DOE/IG-\n                      0787, January 2008). To the Department\'s credit, when we\n                      informed management of these issues, corrective actions\n                      were initiated. Specifically, a comprehensive plan is now\n                      underway to implement an Enterprise Incident Capability\n                      to eliminate duplicative activities and improve incident\n                      management. 
Management had established a target date of\n                      December 31, 2008, for eliminating this duplication.\n\n                                     Privacy Information Controls\n\n                      Although progress had been made, the Department had not\n                      fully assessed the risk to personally identifiable information\n                      (PII) on its systems and provided assurance that\n                      information collected and maintained was adequately\n                      protected from loss or unauthorized disclosure. The\n                      protection of PII in Federal systems is critical because its\n                      loss or disclosure can lead to serious consequences to\n                      individuals, such as identity theft. During the evaluation,\n                      we observed that the Department had completed, approved,\n                      and posted privacy impact assessments for a number of\n                      systems that collect and maintain privacy information, in\n                      accordance with OMB direction. However, we also noted\n                      that, privacy impact assessments of certain systems either\n                      had not been performed or were missing key information\n                      for providing assurance of adequate protection.\n                      Specifically, one Department organization had not\n                      completed and submitted privacy impact assessments for\n                      approval by the Chief Privacy Officer, despite having\n                      systems that collect and maintain such information. Also,\n                      approved privacy impact assessments for other Department\n                      organizations were missing necessary information. 
This\n                      information should have been supplied at the time of\n                      approval, since it was necessary to provide the level of\n________________________________________________________________\nPage 4                                            Details of Finding\n\x0c                      assurance that risks had been properly assessed and\n                      protective measures were adequate. We also noted that\n                      content on a number of the Department\'s publicly\n                      accessible web servers was not always controlled and\n                      periodically reviewed. These weaknesses contributed to a\n                      number of incidents that involved the exposure of PII to\n                      unauthorized or malicious sources.\n\nSecurity Controls     The Department had not resolved certain previously\n                      identified weaknesses at several sites in the area of\n                      configuration management. We also identified new\n                      weaknesses in segregation of duties and access control\n                      areas at other sites. Controls such as these are vital for\n                      preventing unauthorized access and modification to\n                      systems or information. Our testing did confirm that a\n                      number of previously reported cyber security control\n                      deficiencies had been corrected.\n\n                                            Access Controls\n\n                      While sites corrected access control problems identified\n                      during our previous evaluations, work performed this past\n                      year has disclosed new weaknesses at three sites. 
Access\n                      controls consist of both physical and logical measures\n                      designed to protect information resources from\n                      unauthorized modification, loss, or disclosure. To ensure\n                      that only authorized individuals can gain access to\n                      networks or systems, controls of this type need to be strong\n                      and functional. However, we noted the following:\n\n                         \xe2\x80\xa2   At one site, an administrator of a financial system\n                             was granted excessive privileges that were not\n                             required to perform assigned duties. These\n                             excessive privileges, if exploited, could permit\n                             unauthorized modification to the system or\n                             information. Passwords for this system were also\n                             not of sufficient strength;\n\n                         \xe2\x80\xa2   At the same site, insufficient reviews were\n                             performed of user access to the network. 
Such\n                             reviews are essential to determine whether users\n                             who no longer have a valid need for information\n                             resources because of job changes or resignations\n                             have their access removed in a timely manner;\n\n                         \xe2\x80\xa2   Another site allowed excessive login attempts on its\n                             network, thereby limiting the ability to prevent\n________________________________________________________________\nPage 5                                            Details of Finding\n\x0c                             unauthorized access through repeated password\n                             guessing; and,\n\n                         \xe2\x80\xa2   A third site allowed unsupervised foreign visitors to\n                             use their laptops while connecting to the site\'s\n                             Intranet. Such connection could have permitted\n                             individuals to probe the site\'s network for\n                             vulnerabilities, implant malicious code, or remove\n                             data without authorization.\n\n                                         Segregation of Duties\n\n                      One site did not maintain adequate segregation of duties on\n                      a financial system. Proper segregation of duties reduces the\n                      risk of fraudulent activities by separating personnel\n                      activities through operating procedures, supervision, and\n                      review. Specifically, application developers had access to\n                      the production portion of the financial system, which could\n                      enable them to introduce untested or unapproved changes\n                      to the system. 
Furthermore, the site had not enacted the\n                      compensating control of management review and approval\n                      of developer activities.\n\n                                      Configuration Management\n\n                      We continued to identify configuration management issues\n                      in the Department. Controls of this type are an integral\n                      component of a strong security policy and help to ensure\n                      that computer applications and systems are consistently\n                      configured with minimum security standards to prevent and\n                      protect against unauthorized modifications. Our evaluation\n                      identified weaknesses at a number of the Department\'s\n                      sites. Specifically:\n\n                         \xe2\x80\xa2   Two sites were using versions of application and\n                             operating system software that were outdated or not\n                             appropriately patched. If software with known\n                             vulnerabilities is not updated in a timely manner,\n                             risk increases that systems could be compromised;\n\n                         \xe2\x80\xa2   A number of Department sites or organizations had\n                             not disabled unneeded computer services for their\n                             publicly accessible websites. 
These services\n                             increased the risk of malicious damage to these\n                             websites;\n\n\n________________________________________________________________\nPage 6                                            Details of Finding\n\x0c                         \xe2\x80\xa2   Although the Department had developed and\n                             published policy requiring the adoption of standard\n                             desktop configurations, including standard security\n                             settings, certain organizations and sites had not yet\n                             implemented the protective measures;\n\n                         \xe2\x80\xa2   At one site, a financial system was not set to log\n                             account administration activity, an essential control\n                             which permits management reviews; and,\n\n                         \xe2\x80\xa2   Security controls at another site on most computers\n                             assigned to foreign nationals from non-sensitive\n                             countries were not implemented. This problem\n                             could enable users to modify log-on settings, load\n                             unauthorized software, remove installed software,\n                             change computer settings, and ultimately permit\n                             unauthorized access to the site\'s information\n                             systems.\n\nCyber Security        The problems identified occurred, at least in part, because\nProgram Management    NNSA and certain Department program elements had not\n                      revised and implemented policies and guidance\n                      incorporating Federal and Departmental cyber security\n                      requirements in a timely manner. 
They also had not\n                      effectively performed review and oversight activities\n                      essential for evaluating the adequacy of cyber security\n                      performance, and had not ensured that Plans of Action &\n                      Milestones (POA&M) were used effectively.\n\n                        Cyber Security Policy Development and Implementation\n\n                      Department elements did not act in a timely manner to\n                      revise and issue policies and guidance to incorporate\n                      Federal and Departmental cyber security requirements, thus\n                      limiting their use by sites and organizations during FY\n                      2008. For instance, NNSA did not approve its Policy\n                      Letters until May 2008, eight months into FY 2008. An\n                      NNSA official told us that site implementation could not be\n                      expected until sometime in FY 2009. Also, recently issued\n                      cyber security incident reporting guidance does not fully\n                      address reporting issues and coordination issues facing the\n                      various cyber intrusion and analysis organizations and does\n                      not specifically require that incidents be reported to law\n                      enforcement or counterintelligence officials. 
Clear\n                      policies, with timely implementation, are necessary to\n                      ensure that a consistent baseline exists for monitoring\n                      performance.\n________________________________________________________________\nPage 7                                            Details of Finding\n\x0c                                         Management Review\n\n                      As with last year\'s evaluation, various levels of Department\n                      management had not effectively performed review and\n                      management activities essential for evaluating the adequacy\n                      of cyber security performance, and had not ensured that\n                      POA&Ms were always used effectively. For instance, as of\n                      August 2008, 33 reviews of C&A packages had been\n                      conducted by a compliance team for the OCIO. However,\n                      an official indicated that the compliance team had not\n                      published or provided feedback to the submitting\n                      organizations regarding the reviews. Also, the Office of\n                      Science discontinued its site assisted visits process. This\n                      process had been established to increase the effectiveness\n                      of the security program and to address findings in prior\n                      evaluation reports. 
When asked about a replacement for\n                      the process, an official indicated that an agreement would\n                      be explored with the Office of Cyber Security Evaluations\n                      to assist in performing this function.\n\n                      Despite concurring with a prior OIG recommendation,\n                      NNSA had taken only limited action to establish an\n                      oversight process to ensure effective implementation of\n                      Federal cyber security requirements by field organizations\n                      and facility contractors. An official indicated that NNSA\n                      was in the process of changing their site assessment\n                      program. While four assessments had been completed by\n                      NNSA, no additional ones had been scheduled. We also\n                      noted problems in the manner that certain of these\n                      assessments were performed. For instance, one assessment\n                      cited significant weaknesses that required resolution, but\n                      nonetheless granted a passing score.\n\n                      We also noted ongoing problems regarding the use of\n                      POA&Ms as a management tool for tracking all known\n                      cyber security weaknesses to resolution. As noted in NIST\n                      guidance, POA&Ms are important for managing an entity\'s\n                      progress towards eliminating gaps between required\n                      security controls and those that are actually in place. 
The\n                      Department concurred with the recommendations in our\n                      Evaluation Report on The Department\'s Unclassified Cyber\n                      Security Program - 2007 (DOE/IG-0776, September 2007),\n                      and indicated that it would ensure that POA&Ms would be\n                      utilized as a tool for prioritizing corrective actions and\n                      tracking all known cyber security weaknesses to resolution.\n                      However, we observed that this action had not been\n                      adequately implemented. Specifically, we found that the\n________________________________________________________________\nPage 8                                            Details of Finding\n\x0c                         POA&Ms did not contain all cyber security weaknesses\n                         identified by the Office of Health, Safety and Security,\n                         Office of Inspector General, and the Government\n                         Accountability Office. Until the POA&Ms capture all\n                         identified weaknesses, they will not be an effective tool for\n                         reporting, prioritizing, and resolving vulnerabilities such as\n                         those identified in this report. Furthermore, we\n                         determined that 27 percent of the weaknesses identified\n                         were about one year beyond their projected remediation\n                         dates.\n\nThreats to Information   During FY 2008, the Department took a number of positive\nTechnology Assets        and proactive steps designed to improve its cyber security\nAnd Data                 program. 
As recognized by senior Department officials,\n                         such action is necessary to protect systems and the\n                         information they contain from increasingly sophisticated\n                         and persistent attacks. The importance of and need for\n                         sustained action are well demonstrated by the increases in\n                         reported cyber security incidents across the complex.\n                         Despite strong defense-in-depth network protective\n                         measures, and with over a month remaining in FY 2008 at\n                         the time of our evaluation, sites had reported 480 cyber\n                         security incidents affecting 703 machines to the\n                         Department\'s Computer Incident Advisory Capability. This\n                         represents an increase of about 45 percent over the prior\n                         year and about 136 percent since 2004. In addition, 127\n                         incidents involved PII, an increase of about 165 percent\n                         from those reported in FY 2007.\n\n\nRECOMMENDATIONS          To correct the weaknesses identified in this report and\n                         improve the effectiveness of the Department\'s cyber\n                         security program, we recommend that the Department and\n                         the NNSA Chief Information Officers, in coordination with\n                         the Under Secretaries for Energy and Science, as\n                         appropriate:\n\n\n                            1. Correct, through the implementation of\n                               management, operational, and technical controls,\n                               each of the specific vulnerabilities identified in this\n                               report;\n\n                            2. 
Ensure that development and implementation of\n                               cyber security policies, including Program Cyber\n                               Security Plans, are in accordance with appropriate\n                               Federal and Departmental requirements;\n________________________________________________________________\nPage 9                              Recommendations and Comments\n\x0c                         3. Strengthen the management review process to\n                            include:\n\n                               \xe2\x80\xa2   Better monitoring of field sites to ensure the\n                                   adequacy of cyber security program\n                                   performance, and,\n\n                               \xe2\x80\xa2   Utilizing the POA&Ms for capturing and\n                                   tracking all known cyber security\n                                   weaknesses to completion.\n\n\nMANAGEMENT           The Department and NNSA agreed with the information\nREACTION             contained in the report and concurred with each of the\n                     specific recommendations. 
Management added that it\n                     would take corrective action on specific findings and\n                     continue to work to improve its cyber security posture.\n\n\nAUDITOR              Management\'s comments are generally responsive to our\nCOMMENTS             recommendations.\n\n\n\n\n________________________________________________________________\nPage 10                             Recommendations and Comments\n\x0cAppendix 1\n\nOBJECTIVE             To determine whether the Department of Energy\'s\n                      (Department) Unclassified Cyber Security Program\n                      adequately protected data and information systems.\n\n\nSCOPE                 The evaluation was performed between February 2008 and\n                      September 2008 at numerous locations. Specifically, we\n                      performed an assessment of the Department\'s Unclassified\n                      Cyber Security Program. The evaluation included a limited\n                      review of general and application controls in areas such as\n                      entity-wide security planning and management, access\n                      controls, application software development and change\n                      controls, and service continuity. 
Our work did not include\n                      a determination of whether vulnerabilities found were\n                      actually exploited and used to circumvent existing controls.\n                      The Office of Independent Oversight performed a separate\n                      evaluation of the Department\xe2\x80\x99s Information Security\n                      Program for National Security Systems.\n\n\nMETHODOLOGY           To accomplish our objective, we:\n\n                         \xe2\x80\xa2   Reviewed applicable laws and directives pertaining\n                             to cyber security and information technology\n                             resources such as the Federal Information Security\n                             Management Act, Office of Management and\n                             Budget Circular A-130 (Appendix III), and DOE\n                             Order 205.1A Department of Energy Cyber\n                             Security Management;\n\n                         \xe2\x80\xa2   Reviewed applicable standards and guidance issued\n                             by the National Institute of Standards and\n                             Technology;\n\n                         \xe2\x80\xa2   Reviewed the Department\'s overall cyber security\n                             program management, policies, procedures, and\n                             practices throughout the organization;\n\n                         \xe2\x80\xa2   Assessed controls over network operations and\n                             systems to determine the effectiveness related to\n                             safeguarding information resources from\n                             unauthorized internal and external sources;\n\n                         \xe2\x80\xa2   Evaluated selected Headquarters\' offices and field\n                             sites in conjunction with the annual audit of 
the\n\n\n________________________________________________________________\nPage 11                           Objective, Scope, and Methodology\n\x0cAppendix 1 (continued)\n\n                             Department\'s Consolidated Financial Statements,\n                             utilizing work performed by KPMG LLP, the Office of\n                             Inspector General (OIG) contract auditor. OIG and\n                             KPMG work included analysis and testing of general\n                             and application controls for systems as well as\n                             vulnerability and penetration testing of networks; and,\n\n                         \xe2\x80\xa2   Evaluated and incorporated the results of other cyber\n                             security review work performed by OIG, KPMG, the\n                             Department\'s Office of Independent Oversight, and the\n                             Government Accountability Office.\n\n                      The evaluation was conducted in accordance with generally\n                      accepted Government auditing standards for performance\n                      audits. Those standards require that we plan and perform the\n                      effort to obtain sufficient, appropriate evidence to provide a\n                      reasonable basis for our finding and conclusions based on our\n                      objective. We believe that the evidence obtained provides a\n                      reasonable basis for our finding and conclusions based on our\n                      objective. Accordingly, we assessed significant internal\n                      controls and the Department\'s implementation of the\n                      Government Performance and Results Act of 1993 and\n                      determined that it had established performance measures for\n                      unclassified cyber security. 
Because our evaluation was\n                      limited, it would not have necessarily disclosed all internal\n                      control deficiencies that may have existed at the time of our\n                      evaluation. We did not rely solely on computer-processed data\n                      to satisfy the objective of the evaluation. However, computer-\n                      assisted audit tools were used to perform probes of various\n                      networks and drives. We validated the results of the scans by\n                      confirming the weaknesses disclosed with responsible on-site\n                      personnel and performed other procedures to satisfy ourselves\n                      as to the reliability and competence of the data produced by the\n                      tests. In addition, we confirmed the validity of other data,\n                      when appropriate, by reviewing supporting source documents.\n\n                      The Department waived an exit conference.\n\n\n\n\n___________________________________________________________________\nPage 12                              Objective, Scope, and Methodology\n\x0cAppendix 2\n\n\n                                     PRIOR REPORTS\n\nOffice of Inspector General Reports\n\n   \xe2\x80\xa2   Special Report on The Department\'s Unclassified Foreign Visits and Assignments\n       Program (DOE/IG-0791, March 2008). The Department of Energy\'s (Department)\n       Office of Inspector General (OIG) discovered that the National Nuclear Security\n       Administration (NNSA) had not fully mitigated the risk of foreign nationals gaining\n       unauthorized access to its unclassified Intranet. A cyber security incident attributable\n       to this deficiency was noted. 
Not all computers assigned to foreign\n       nationals and assignees were properly installed with security features that would\n       prevent one from circumventing security measures such as modifying log-on setting,\n       loading unauthorized software, removing software, and changing systems. In addition,\n       some foreign visitors and assignees had unsupervised use of their foreign government,\n       university, or business laptops within laboratory facilities which had live Intranet\n       connections.\n\n   \xe2\x80\xa2   Audit Report on Management of the Department\'s Publicly Accessible Websites\n       (DOE/IG-0789, March 2008). Our audit revealed that some of the Department\'s\n       publicly accessible websites did not meet Federal accessibility requirements or\n       contingency planning and emergency response best practices. In addition, content on\n       publicly accessible web servers was not always controlled and reviewed periodically.\n       This resulted in an additional eight instances that involved personally identifiable\n       information (PII) being exposed to unauthorized or malicious sources. In addition, the\n       majority of the organizations failed to implement contingency/emergency planning,\n       provide accessibility to those with disabilities, and limit/disable unneeded computer\n       services due to the lack of guidance from Headquarters and deficiencies in site-level\n       management and control.\n\n   \xe2\x80\xa2   Audit Report on The Department\'s Cyber Security Incident Management Program\n       (DOE/IG-0787, January 2008). Our audit found that program elements and facility\n       contractors had established and operated as many as eight independent cyber security\n       intrusion and analysis organizations whose missions and functions were partially\n       duplicative and not well coordinated. 
Sites could also choose whether to participate in\n       network monitoring activities performed by the organizations. Furthermore, the\n       Department had not adequately addressed related issues through policy changes, even\n       though it had identified and acknowledged weaknesses in its cyber security incident\n       management and response program.\n\n   \xe2\x80\xa2   Inspection Report on Incident of Security Concern at the Y-12 National Security\n       Complex (DOE/IG-0785, January 2008). An unclassified laptop computer was brought\n       into Y-12\'s limited area without proper authorization and it was not detained by cyber\n       security personnel. The written report for this incident was not completed within the\n       32-hour reporting requirement under the Department\'s Incidents of Security Concern\n       Program. The investigation determined that 37 additional laptop computers may have\n\n___________________________________________________________________\nPage 13                                                  Prior Reports\n\x0cAppendix 2 (continued)\n\n      been improperly introduced into the Limited Area by Oak Ridge National Laboratory\n      (ORNL) personnel in recent years. These incidents were not properly reported in a\n      timely manner.\n\n  \xe2\x80\xa2   Special Report on The Management Challenges at the Department of Energy (DOE/IG-\n      0782, December 2007). Cyber security was identified as one of the management\n      challenge areas due to several DOE OIG reviews which emphasized the need to\n      improve the Department\'s overall cyber security program. Despite recent efforts and\n      progress, the Department had not completed its complex-wide inventory of\n      information systems, and certification and accreditation (C&A) of many systems was\n      inadequate.\n\n  \xe2\x80\xa2   Audit Report on the Continuity of Operations at Bonneville Power Administration\n      (DOE/IG-0781, November 2007). 
Bonneville\'s continuity of operations capability was\n      not fully compliant with Federal Preparedness Circular 65 (FPC 65) for all of its\n      essential functions. Specifically, Bonneville\'s primary and alternate facilities for power\n      scheduling were interdependent as well as in close proximity and, therefore, were subject to\n      the same hazards. In addition, Bonneville\'s plan to recover transmission scheduling\n      from disruptions to its primary automated system relied in part on a manual process\n      rather than a fully automated system as required by FPC 65.\n\n  \xe2\x80\xa2   Evaluation Report on The Department\'s Unclassified Cyber Security Program - 2007\n      (DOE/IG-0776, September 2007). Problems persisted with the certification and\n      accreditation of the Department\'s systems related to assessing risks and ensuring the\n      adequacy of security controls. The Department had not established a complex-wide\n      inventory system and a number of organizations still had not ensured their contingency\n      plans were in working order. Additional deficiencies were identified that reduced the\n      Department\'s ability to protect its computer resources from unauthorized actions, so the\n      Department could not always ensure the personal information on agency systems was\n      adequately protected. Therefore, the risk of compromise to the Department\'s\n      information and systems remained higher than acceptable.\n\n  \xe2\x80\xa2   Audit Report on Security Over Personally Identifiable Information (DOE/IG-0771, July\n      2007). The Department had not fully implemented all protective measures\n      recommended by the Office of Management and Budget (OMB) and required by the\n      National Institute of Standards and Technology (NIST). 
In particular, we observed that\n      sites reviewed had not identified information systems containing personally identifiable\n      information (PII), or fully evaluated the risks of exposing PII stored in such systems;\n      controls for securing remote access to site-level systems containing personal\n      information had not been fully implemented; and sites had not identified mobile\n      computing devices containing PII nor ensured that this information was encrypted as\n      required by OMB. These problems occurred because Headquarters and site-specific\n      policies did not address all OMB and NIST requirements. Even when policies were\n      clear, programs and sites did not always enforce the requirements to ensure that all\n      necessary controls were in place for protecting PII.\n\n\n\n___________________________________________________________________\nPage 14                                                  Prior Reports\n\x0cAppendix 2 (continued)\n\n  \xe2\x80\xa2   Audit Report on The National Nuclear Security Administration\'s Implementation of the\n      Federal Information Security Management Act (DOE/IG-0758, February 2007). Cyber\n      security weaknesses have been a continuing challenge for NNSA. Specifically, NNSA\n      did not always properly implement its own guidance as well as Departmental and\n      Federal cyber security requirements. In addition, NNSA had not performed regular\n      monitoring activities essential to evaluating the adequacy of cyber security program\n      performance. 
As a consequence, NNSA\'s unclassified information systems and\n      networks and the data they contain remain at risk of being compromised, including the\n      possible unlawful diversion of operational data, PII, or other critical information.\n\n  \xe2\x80\xa2   Inspection Report on Excessing of Computers Used for Unclassified Controlled\n      Information at the Idaho National Laboratory (DOE/IG-0757, February 2007).\n      Personnel at Idaho National Laboratory (INL) had sold a computer containing\n      unclassified controlled information that included personal information at a public\n      auction in October 2004. When a new company was awarded a contract to manage\n      INL, the Idaho Operations Office delayed incorporating updated Department directives\n      and used existing internal policies and procedures for computer disposal during a 16-\n      month period beginning in November 2004. INL did not have adequate policies and\n      internal controls for excessing computers and other electronic memory devices to\n      prevent the unauthorized dissemination of unclassified controlled information.\n\n  \xe2\x80\xa2   Audit Report on Certification and Accreditation of Unclassified Information Systems\n      (DOE/IG-0752, January 2007). Despite recent efforts by the Department to enhance\n      cyber security guidance, many systems were not properly certified and accredited prior\n      to becoming operational. For example, 9 of the 14 sites reviewed did not properly\n      assess security risks to their systems and did not adequately test and evaluate security\n      controls. In many instances, senior agency officials accredited systems although\n      required documentation was inadequate or incomplete, such as incomplete inventories\n      of software and hardware included within defined accreditation boundaries. 
In\n      addition, the Office of the Chief Information Officer and program elements did not\n      adequately review completed activities for quality or compliance with requirements.\n\n  \xe2\x80\xa2   Special Inquiry on Selected Controls over Classified Information at the Los Alamos\n      National Laboratory (November 2006). Classified documents were found on a flash\n      drive during a search by Los Alamos County Police at the home of a Los Alamos\n      National Laboratory contractor employee. From this inquiry, we found that the security\n      framework at the lab was seriously flawed. Contributing factors were that security\n      policy in a number of key areas was non-existent, applied inconsistently, or not\n      followed. In addition, monitoring by both Laboratory and Federal officials was\n      inadequate; critical security functions were not adequately segregated; and, physical\n      verification of the accuracy of security plans by Federal and Laboratory officials was\n      not performed.\n\n\n\n\n___________________________________________________________________\nPage 15                                                  Prior Reports\n\x0cAppendix 2 (continued)\n\nGovernment Accountability Office Reports\n\n   \xe2\x80\xa2   Information Security Progress Reported, but Weaknesses at Federal Agencies Persist\n       (GAO-08-571T, March 2008).\n\n   \xe2\x80\xa2   Information Security - Although Progress Reported, Federal Agencies Need to Resolve\n       Significant Deficiencies (GAO-08-496T, February 2008).\n\n   \xe2\x80\xa2   Information Security: Protecting Personally Identifiable Information (GAO-08-343,\n       January 2008).\n\n   \xe2\x80\xa2   Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats\n       (GAO-07-705, June 2007).\n\n   \xe2\x80\xa2   Information Security: Persistent Weaknesses Highlight Need for Further Improvement\n       (GAO-07-751T, April 2007).\n\nOffice of Health, Safety and Security 
Reports\n\n   \xe2\x80\xa2   Independent Oversight Classified and Unclassified Cyber Security Inspection of the\n       Livermore Site Office and the Lawrence Livermore National Laboratory, June 2008.\n\n   \xe2\x80\xa2   Independent Oversight Red Team Activity Report, 2007 Facility Representative\n       Workshop, March 2008.\n\n   \xe2\x80\xa2   Office of Independent Oversight Cyber Security Inspection of the Sandia Site Office and\n       the Sandia National Laboratories (U), December 2007.\n\n   \xe2\x80\xa2   Independent Oversight Inspection of Classified and Unclassified Cyber Security at the\n       Nevada Site Office and Nevada Test Site, December 2007.\n\n   \xe2\x80\xa2   Independent Oversight Inspection of Cyber Security at the U.S. Department of Energy\n       Headquarters, October 2007.\n\n\n\n\n___________________________________________________________________\nPage 16                                                  Prior Reports\n\x0cAppendix 3\n\n\n\n\n___________________________________________________________________\nPage 17                                         Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\n___________________________________________________________________\nPage 18                                         Management Comments\n\x0c                                                             IG Report No. DOE/IG-0801\n\n                       CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of\nits products. We wish to make our reports as responsive as possible to our customers\'\nrequirements, and, therefore, ask that you consider sharing your thoughts with us. On the\nback of this form, you may suggest improvements to enhance the effectiveness of future\nreports. Please include answers to the following questions if they are applicable to you:\n\n1. 
What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding\n   this report?\n\n2. What additional information related to findings and recommendations could have\n   been included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s\n   overall message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the\n   issues discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should\n   we have any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector\nGeneral at (202) 586-0948, or you may mail it to:\n\n                           Office of Inspector General (IG-1)\n                                 Department of Energy\n                                Washington, DC 20585\n\n                              ATTN: Customer Relations\n\n\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Judy Garland-Smith (202) 586-7828.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n              U.S. Department of Energy Office of Inspector General Home Page\n                                  http://www.ig.energy.gov\n\n  Your comments would be appreciated and can be provided on the Customer Response Form.\n\x0c'